Steve Charles

OPINION

Cyber getting baked into more procurements

A new but not widely noticed provision in the recent White House Executive Order 13636 will mean a major change in federal procurement. The order, a companion directive to Presidential Policy Directive 21, established a multi-agency working group that has been asking industry and federal agencies how cybersecurity could be made a baseline requirement in all acquisitions.

That means not just buys of specific cybersecurity products, but of any items or services that somehow touch critical infrastructure. That's a broad range of potential acquisitions.

If you sell software, any piece of electronic hardware, or systems integration services to the federal government, you need to know about the so-called DOD-GSA Section 8(e) Working Group. The output of this working group will eventually result in new Federal Acquisition Regulation (FAR) provisions covering anything with a potential cybersecurity element.

This is no long-range effort. The EO, which came out in February, gave the working group 120 days to come up with its recommendations "on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration."

The machinery necessary to get a FAR change implemented won’t produce the intended change overnight. But it’s not too early to start positioning your products in terms of how they support or enhance cybersecurity.

Basically, the administration wants to get as much cybersecurity progress as it can in the absence of legislation from an uncooperative Congress. It can only do so much with industry by fiat. But it can indirectly get more from industry by leveraging authority over federal agencies. Nothing new here, just a new application of advancing cyber policy via the government’s buying power.

Luckily, industry had the chance to weigh in, and presumably the working group is evaluating the comments.

The working group has people from Defense, Homeland Security, and GSA. Its specific job is to carry out Section 8(e) of the executive order, which calls for embedding cybersecurity requirements into all federal acquisition planning and procurement processes.

The working group, in a request for information, came up with 37 questions, grouped into three themes:

  • Is it feasible to incorporate cybersecurity standards into federal buys in the first place?
  • What are commercial procurement practices when it comes to cyber?
  • Would acquisitions containing specific cybersecurity requirements conflict with existing laws, regulations, or even common practices? If so, what should we do about it?

Comments have closed, but it's not too late to become involved. At the least, read the executive order, especially Sections 7 and 8. Make sure it gets top management attention, especially if your company is headquartered outside the Washington region, where management might not be in tune with uniquely federal dynamics.

The questions are extensive, and probably no single individual can answer all of them. But since industry is helping prepare a dish companies will eventually be served, here are some things to keep in mind:

Understand that in seeking this public input, the working group defines cybersecurity rather widely, to include supply chain risk management and software assurance. Think about where your company would have potential responsibility. In PPD-21 and in the executive order, the White House is merging federal activities to deal with cyber and physical critical infrastructure threats.

Form a team to stay abreast of what the working group comes up with. There will be further chances to comment once its recommendations become actual proposed new rules, subject to the standard rule-making process.

From a sales standpoint, it’s time to start role-playing your approach. Ask yourself how you’d position your products in solicitations where cybersecurity and critical infrastructure protection warranties are included as boilerplate. For example:

  • Pre-solicitation, how will your sales messages raise the bar objectively so that solicitations reflect the latest cybersecurity capability?
  • Long-term, what role will your company play in helping set the standards and best practices of today, and keep them evolving in the months, years, and decades to come?

We think it’s vital to future sales that marketers of any product with electronic hardware and software take an active role in shaping whatever cyber-related FAR changes emerge.

Apathy could result in industry becoming saddled with the burden and liability for cybersecurity. Or it could inadvertently freeze standards in contracting language while the real threat morphs at light speed.

Clearly we need to get this regulatory framework right, particularly those of us in the world of commercial-off-the-shelf IT.

Reader Comments

Tue, Jun 4, 2013

Based on the Monday, May 13th entry in the Federal Register (27967, first column, lines 13 and 14), comments close on June 12th, 2013. Perhaps there was an update that we missed?

Tue, May 28, 2013 Bill Caelli Australia

Wow - "C2 by '92" again?? Perhaps everyone should read the introduction and preface to the original "Orange Book" or TCSEC of 1983, then 1985 - yes, 30 years ago. The problem wasn't definition of requirements - it was making such acquisition COMPULSORY, and REALLY mandatory under REAL penalties to procuring officers who just ignored the specs or claimed "oops - budgetary considerations!"
